From owner-freebsd-hackers@FreeBSD.ORG  Sun May 27 23:33:40 2012
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 0D1C7106564A;
	Sun, 27 May 2012 23:33:40 +0000 (UTC)
	(envelope-from jamie@FreeBSD.org)
Received: from m2.gritton.org (gritton.org [199.192.164.235])
	by mx1.freebsd.org (Postfix) with ESMTP id CBCA38FC14;
	Sun, 27 May 2012 23:33:39 +0000 (UTC)
Received: from glorfindel.gritton.org (c-174-52-130-208.hsd1.ut.comcast.net
	[174.52.130.208]) (authenticated bits=0)
	by m2.gritton.org (8.14.5/8.14.5) with ESMTP id q4RNXWET011012;
	Sun, 27 May 2012 17:33:33 -0600 (MDT)
	(envelope-from jamie@FreeBSD.org)
Message-ID: <4FC2B9CA.5090301@FreeBSD.org>
Date: Sun, 27 May 2012 17:33:30 -0600
From: Jamie Gritton <jamie@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US;
	rv:1.9.2.24) Gecko/20120129 Thunderbird/3.1.16
MIME-Version: 1.0
To: sbruno@FreeBSD.org
References: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com>
In-Reply-To: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Hackers <freebsd-hackers@FreeBSD.org>,
	Sean Bruno <seanbru@yahoo-inc.com>
Subject: Re: [jail] Allowing root privledged users to renice
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 27 May 2012 23:33:40 -0000

On 05/25/12 10:48, Sean Bruno wrote:
> I've been toying with the idea of letting jails renice processes ... how
> dangerous and/or stupid is this idea?
>
> ==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 -
> /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ====
> 270a271,275
> + int   jail_allow_renice = 0;
> + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW,
> +&jail_allow_renice, 0,
> +    "Prison root can renice processes");
>
> 3857a3863,3865
> +      case PRIV_SCHED_SETPRIORITY:
> +              if (!jail_allow_renice)
> +                       return (EPERM);

Considering they can only renice their own stuff, and could always just
start a new process anyway, I see very little reason to deny this.

- Jamie